Open source security with Sonatype | Amazon Web Services
Key Takeaways
The video discusses open source security with Sonatype and Amazon Web Services, focusing on malware and vulnerabilities in open source software, and strategies to protect environments, including the use of repository firewalls and Sonatype intelligence.
Full Transcript
Hi folks, I'm Dylan. I'm a solutions architect at AWS and I'm here with Tyler. >> Hey all, I'm Tyler Warden. I'm the head of product at Sonotype. >> Today we're talking about open source malware. Uh obviously Sonotype's leader in open source. But before we jump into what malware is, why don't we talk about what malware and vulnerabilities are. I know it's a distinction that you know security engineers get caught up in a lot. I think it's worth chatting about. >> So let's pretend Dylan that you are the owner of a nightclub. So, we've got Dylan's nightclub here, right? And you've got a bunch of people outside your nightclub really excited to come in and go and go party. And your nightclub here has a window that you have opened. This is a good representation of a vulnerability. Anybody could sneak into your nightclub, but they would have to be in line, see the window, look that they need to, let me get up there. I might be able to break in and go get something out of the safe. Okay, this is a vulnerability. Malware is there is a bad guy already in your nightclub casing the joint and robbing it. >> Okay, >> malware is an attack that's happening. A vulnerability is something that could happen. >> Okay, that makes a lot of sense. And so when you think about defining this, you know, how does this translate over to software? >> Sure. So if you think about uh open-source software here and so if this is the amount of open source and this is time over the years the amount of open source has just exponentially increased right and what we've seen over the last few years is these these bad guys here that might be scoping out the joint have saw that well if this is increasing maybe we could attack we could attack here. So, we've seen a rise in open-source uh malware that has risen over the years and you know, we've talked a lot about generative AI and how that's helping people code faster. Well, bad guys have that too. So, it's easy to create open source malware that's increasing um exponentially. So, when it comes to software, there's vulnerabilities that people put into their code. Maybe they put in vulnerable open source, but there's also now malware designed disguised as open source that can go in and attack and actually break into your development shop. In this case, your nightclub. >> Gotcha. Can we talk about like a specific example of what that would look like? I know there was a recent uh now for folks watching, we're in 2025 as we approach end of the year. There was a recent vulnerability and an exploit with npm. >> Yeah. So, there are plenty of vulnerabilities, but you're talking about the recent malware attacks. There's really a big couple of types if if these are are bad actors. One of them is we call it potentially unwanted applications. This is functionality that you did not intend when you brought it in protest where and other things. But there's a lot worse class of things like data xfill um code execution remote code execution and other capabilities that are disguised as good open source that can come in and where it attacks is your development infrastructure. So your developers your build this lives in the development shop uh that it's attacking the developers machines and and similar uh areas in the SDLC and build pipelines. >> Okay. Okay. So, say that you are leading an organization in your company. You're working at a financial services company. Yeah. How do you construct your you know your developer pipelines and your your your corporate strategy around this? >> So, when organizations brought this problem to us, we developed uh a solution that is essentially your bouncer at the door. So now everybody that comes in, every piece of open source has to get through this bouncer. And this bouncer is going to say one of three things. Hey man, you're good. welcome in. Have a good time. Or, oh, your picture's on the wall. We've seen you. You can't come in here again. Or the hardest one and the item that we're kind of most proud of is, hey, we've never seen this before, but you look kind of suspicious. I'm going to take you over here and question you first and see are you going in or are you going out? So this idea of scanning on the way in, not once your developers are are building it, not when it's in your product already, but the best practice, the best thing you can do is as these people try to enter into your nightclub, as they try to enter into your um SDLC, let's stop the ones that we don't want that are designed to hurt from coming in at all. >> And and that's where firewall comes in. >> Yeah. Right. And so this product for us is called the repository firewall is this bouncer here that's designed to keep the worst of of the worst out. >> Gotcha. And so from an organizational standpoint, you know, from Snotype's perspective is you know leaders in the space is that something like at an organizational level you have one repository that you use that you then each team will borrow from and uh how does that look like? >> Right. So in in an ideal world, you would have all of your developers working through a binary artifact repository so that every request that's made either by a human or by an agent or by an AI coding assistant works through the repository and gets checked by the bouncer at the door on the way back in. Either they're allowed in or they're asked to leave. Right now, we know that change management can be in the case where maybe this goes across the entire enterprise or maybe it's team by team. But the best practice if you're building from scratch, if you can do the best uh thing for your business is you get all the benefits of a well uh run software supply chain with your repository and then the protection from the repo across the entire uh enterprise between your repository firewall and your repo is really the best practice. uh if if if you can do it and what we encourage people to do because you can actually your builds are faster, your builds are more secure, it's easier to ship software so you get to go fast while you're being secure. >> Last question, what is differentiate sonotype intelligence versus just using uh direct to you know for example npm or maven etc. So if you think about how fast open source is going, the sonotype intelligence has 85 plus data feeds that feed it on the day-to-day basis. And here's the stat that I'll leave you with. The NVD, the National Vulnerability Database, has about 400,000 vulnerabilities. At last count, when I checked this morning, Sonotype has around 69 million vulnerabilities in our database. So not only from a vulnerability perspective, we have identified over 1 billion pieces of malware and the next closest on the block is about a thousand. So by having that deepest and broadest and fastest uh data set and intelligence, you get the best protection policy, you get the biggest buffest MMA fighting bouncer that that you can have that also has a bunch of AI power behind it. So your bouncer can actually predict whether the person coming in is good or bad. >> Awesome. Well, thanks for that overview. >> Thank you. Appreciate it.
Original Description
Tyler, SVP of Product at Sonatype, and Dylan, Solutions Architect at AWS, discuss malware and open source and the state of the landscape, with open source adoption growing at exponential rates, and strategies to protect your environment.
Subscribe to AWS: https://go.aws/subscribe
Create a free AWS account: https://go.aws/signup
Try AWS for free: https://go.aws/free
Connect with an expert: https://go.aws/contact
Explore more: https://go.aws/more
Next steps:
Explore on AWS in Analyst Research: https://go.aws/reports
Discover, deploy, and manage software that runs on AWS: https://go.aws/marketplace
Join the AWS Partner Network: https://go.aws/partners
Learn more on how Amazon builds and operates software: https://go.aws/library
Do you have technical AWS questions?
Ask the community of experts on AWS re:Post: https://go.aws/3lPaoPb
Why AWS?
Amazon Web Services is the world’s most comprehensive and broadly adopted cloud, enabling customers to build anything they can imagine. We offer the greatest choice of innovative cloud capabilities and expertise, on the most extensive global infrastructure with industry-leading security, reliability, and performance.
#AWS #AmazonWebServices #CloudComputing #Devops #OpenSource
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from Amazon Web Services · Amazon Web Services · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Agentic AI Design Patterns Introduction and walkthrough | Amazon Web Services
Amazon Web Services
Galileo on modernizing on banking infrastructure | Amazon Web Services
Amazon Web Services
Alliander Speeds Innovation and Energy Transition Using AWS | Amazon Web Services
Amazon Web Services
AWS and Scuderia Ferrari HP streamline F1 power unit assembly | Amazon Web Services
Amazon Web Services
How AWS machine learning supports Scuderia Ferrari HP pit stops | Amazon Web Services
Amazon Web Services
Nasdaq Builds Market Infrastructure of the Future with AWS | Amazon Web Services
Amazon Web Services
AWS Security Hub Exposure Findings | Amazon Web Services
Amazon Web Services
How do I use Session Manager port forwarding to connect to my EC2 instance through RDP?
Amazon Web Services
How do I extend an EBS volume with LVM partitions?
Amazon Web Services
AWS Graviton makes it easy to optimize performance, cost, and sustainability | Amazon Web Services
Amazon Web Services
Run Cloud Adoption Framework workshops with Miro | Amazon Web Services
Amazon Web Services
Getting Started with AWS Cost Optimization Hub | Amazon Web Services
Amazon Web Services
Why did my Amazon SQS messages get sent to a dead-letter queue?
Amazon Web Services
Declarative Policies for EC2 | Amazon Web Services
Amazon Web Services
How do I troubleshoot IAM permission issues for the Billing and Cost Management console?
Amazon Web Services
Integrity at Scale: Inside the Flo Health Mission | Amazon Web Services
Amazon Web Services
Fueling Success: Small shifts, powerful performance | Amazon Web Services
Amazon Web Services
WEX enhances customer experience with AI-powered chatbot | Amazon Web Services
Amazon Web Services
Accelerate troubleshooting with Amazon CloudWatch investigations | Amazon Web Services
Amazon Web Services
Why is my Windows WorkSpace stuck in the starting, rebooting, or stopping status?
Amazon Web Services
Telemetry Pipelines for AI | Amazon Web Services
Amazon Web Services
Getting Control over Security and Observability Data | Amazon Web Services
Amazon Web Services
The Problem with Telemetry Data Volume | Amazon Web Services
Amazon Web Services
Telemetry Pipelines on AWS | Amazon Web Services
Amazon Web Services
What are Telemetry Pipelines? | Amazon Web Services
Amazon Web Services
Using AI for RegEx on Telemetry Pipelines | Amazon Web Services
Amazon Web Services
Multi-Session Support in the AWS Console | Amazon Web Services
Amazon Web Services
How CloudHedge delivers assessment with AWS ISV Tooling Program at no cost?
Amazon Web Services
How customers speed up migration and modernization to AWS with CloudHedge | Amazon Web Services
Amazon Web Services
Chaos Experiment with Amazon ElastiCache | Amazon Web Services
Amazon Web Services
Amazon S3 Access Points: Easily manage access for shared datasets on S3 | Amazon Web Services
Amazon Web Services
ElastiCache Valkey 8.0 - Savings and Efficiency | Amazon Web Services
Amazon Web Services
Pennymac scales document processing with AWS | Amazon Web Services
Amazon Web Services
AWS | Next Level Innovation | Amazon Web Services
Amazon Web Services
Driving Cloud Innovation: Mindtickle's Partnership with AWS Enterprise Support | Amazon Web Services
Amazon Web Services
A Leader's Edge from Executive Insights | Amazon Web Services
Amazon Web Services
How do I create a custom Amazon WorkSpaces image?
Amazon Web Services
Charles Leclerc tests his AI-generated race track | Amazon Web Services
Amazon Web Services
Redington Scales India’s Cloud Access with AWS Partnership | Amazon Web Services
Amazon Web Services
How do I prevent the resources in my CloudFormation stack from getting deleted or updated?
Amazon Web Services
How do I troubleshoot authentication errors when I use RDP to connect to an EC2 Windows instance?
Amazon Web Services
Exploring the Possibilities of Digital Twin & AI at the Edge | Amazon Web Services
Amazon Web Services
Exploring the Possibilities of Digital Twin & AI at the Edge | Amazon Web Services
Amazon Web Services
AWS at the FORMULA 1 AWS GRAN PREMIO DELL'EMILIA-ROMAGNA 2025 | Amazon Web Services
Amazon Web Services
What's new in RCPs | Amazon Web Services
Amazon Web Services
API Caching using Amazon ElastiCache | Amazon Web Services
Amazon Web Services
Pendula: Amazon Nova Customer Testimonial | Amazon Web Services
Amazon Web Services
InDebted : Amazon Nova Customer Testimonial | Amazon Web Services
Amazon Web Services
Amazon DynamoDB global tables with multi-Region strong consistency | Amazon Web Services
Amazon Web Services
Siemens Mobility uses AWS to operate securely, efficiently on a global scale | Amazon Web Services
Amazon Web Services
How do I reuse a knowledge base session in Amazon Bedrock?
Amazon Web Services
EP5: MBZUAI, CMU : Causal AI, Answering The “Why“ and “What if“ Questions | AWS for AI Podcast
Amazon Web Services
Hema scales time to market developing a data mesh on AWS (Technical) - Cloud Adventures
Amazon Web Services
Hema scales time to market developing a data mesh on AWS (Business) - Cloud Adventures
Amazon Web Services
How Langfuse Scaled Their AI Platform with AWS: From Open-Source to Enterprise | Amazon Web Services
Amazon Web Services
SLMs and LLMs: What’s the Difference? | Amazon Web Services
Amazon Web Services
SLMs and LLMs: When to use them? | Amazon Web Services
Amazon Web Services
SLMs on CPU | Amazon Web Services
Amazon Web Services
Intelligent Model Routing | Amazon Web Services
Amazon Web Services
SLMs, LLMs, and Model Routing in Agents | Amazon Web Services
Amazon Web Services
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
Is Multi-AZ Enough for Disaster Recovery? What DORA Actually Asks of Your Application
Dev.to · Alex
When fastembed silently rotted my worker: anchor your caches, don't trust /tmp
Dev.to · yogeshchavan2008
Turn redacted HarnessDelta findings into native CI review artifacts
Dev.to · Nekoautomata Miki
100 Days of DevOps and Cloud (AWS), Day 11: A WAR File Deploys Itself, and an ENI Is a Network Card You Can Move
Dev.to · Nnamdi Felix Ibe
🎓
Tutor Explanation
DeepCamp AI